A Sophisticated Ursnif Malware variant using manipulated TLS call back Anti-Analysis Technique while injecting the Child Process for changing the entry point.

TLS (Thread Local Storage) call backs used for additional initialization and termination that provided by Windows operating system.

Malicious TLS Allows PE files to include malicious TLS callback functions to be executed prior to the AddressOfEntryPoint field in the PE header.

In this case, during analysis phase where analysts trying to find the actual entry point to malcode but Malicious TLS callback function leads to execute the malcode Prior to the Common entry point AddressOfEntryPoint.

The Entry Point (AddressOfEntryPoint) defined in the PECOFFformat for executable files refers to location in memory where the first instruction of execution will be placed

unlike Ursnif, Many Malware binaries and packers are using CreateRemoteThread Windows API functions to change the entry point for injecting the Process in the memory.

Ursnif Malware Analysis & Distribution

The initial distribution of Ursnif spreading via spam Email campaign with company order related mail contents and once we click the “Review document” then malware downloads a ZIP file named YourMYOBSupply_Order.zip.

The zip file contains a malicious javascript, once it gets executed then it Ursnif/Gozi-ISFB will be downloaded and executed.

Since command & Control server communication completely established HTTPS, it’s very difficult to find through analyzing the normal network activities.

During the Execution process, Ursnif malware tries to create a child process named svchost.exe using CreateProcessW API function in suspended mode.

According to FireEye,Next, for process hollowing of svchost.exe, the malware creates a section object and maps the section using ZwMapViewOfSection.

It uses the memset function to fill the mapped section with zeroes, and then leverages memcpy to copy the unpacked DLL to that region. The malware then resolves three lower level API functions by walking the ntdll.dll module.

Once the new region of memory allocated it construct the entry shellcode in the new memory space.to identify the mapped session of the child process it reads out the PEB(process environment block) structure of the process using a call to ZwReadVirtualMemory.

After this task accomplished, Ursnif Malware trying to change the PE Header Protection permissions and gain the write permission.

Later it will write 8 bytes of the buffer at offset 0x40 in the entry point of the svchost.exe process executable in the target child process.

Region protection back to normal(“read only”) to avoid the suspicion once it successfully writes the buffer.

Again, it repeats the procedure of changing protections for the PE image of svchost.exe to write 8 bytes at an offset of 0x198 bytes from the start of the process executable.

Ursnif using standard DLLMaincall entry point to initialize the injected DLL image and execute its entry.

“This newer variant shows that actors are not only modifying the malware to evade signatures, they are also equipping them with stealthier techniques. Unaware debugging environments or detection frameworks can potentially miss the actual hidden TLS callback entry point, allowing the malware to perform its malicious activities under the hood.”